ABSTRACT



A detection method of an illegal access to a computer system 
includes a step a) of collating user identification information 
inputted from an input unit in one or more log-in operations 
with user authentication information registered in the com- 
puter system, a step b) of detecting the number of times that 
the identification information is not coincident with the 
authentication information in a series of log-in operations 
within a predetermined term, a step c) of obtaining final 
log-in information indicating whether the identification 
information is coincident with the authentication informa- 
tion or not in a final log-in operation, and a step d) of 
comparing the number of times in respect to the incoinci- 
dence and the final log-in information with a predetermined 
judgment standard to thereby detect the presence of the 
illegal access. 

16 Claims, 9 Drawing Sheets 
DETECTION METHOD OF ILLEGAL
ACCESS TO COMPUTER SYSTEM 

BACKGROUND OF THE INVENTION 

The present invention relates to a personal authentication 
method relative to an operator of a computer system and 
more particularly to a computer system which performs 
authentication on the basis of the fact that a password 
inputted from an input unit such as a keyboard is equal to a 
previously registered password. 

In order to authenticate whether a user has the right to 
operate a computer system or not when the user operates the 
computer system, a system is widely used in which the user
is caused to input a password from the keyboard or the like 
and which performs authentication on the basis of the fact 
that the inputted password is equal to a previously registered 
password. This authentication is heretofore utilized as detection
measures of illegal utilization of a computer system. For
example, as described in ON-LINE MANUAL, Login (1) of 
HP-UX 90, when incorrect passwords are inputted by a 
prescribed number of times such as three times continuously 
or when the authentication is not completed during a pre- 
scribed time such as, for example, one minute, connection 
between the terminal and the computer system is cut off and 
the event thereof is recorded. As described in Paragraph 2.2 
Security Function "User Account Security" of Windows NT 
3.5 Security/Superintendence Guide (written by Microsoft 
Corporation, editorially translated by ASCII Network 
Technology, translated by ASCII Techwrite and published 
by ASCII, ISBN4-1017-7), when an incorrect password is
input by a prescribed number of times or more continuously, 
the occurrences are recorded and are notified to a supervisor 
or manager. 

Further, information relative to a terminal operated by a 
user is recorded, while the information is not utilized for 
detection of an illegal access. In the TCP wrapper which is 
a free software available from ftp://ftp.aistnara.ac.jp/pub/ 
Secruity/tools/lcp_wrappers on the Internet, for example, 
utilization by specific terminals or other terminals except 
specific terminals is judged as illegal. 

Furthermore, Japanese Patent Application laid-open No. 
JP-A-6-6347 discloses a method of monitoring the security 
on a network concentratedly. 

Moreover, Japanese Patent Application laid-open No. 
JP-A-7-264178 discloses a system which specifies a place 
on a LAN of occurrence of an illegal access by means of 
information obtained from a relay apparatus. 

The above-described conventional methods have the fol- 
lowing problems. 

In the system in which if a user fails in log-in even once 
the failure is adapted to be recorded, a failure is recorded 
even when a just user inputs a wrong password. It is difficult 
for a manager to judge whether the failure is caused by 
illegal utilization or merely wrong inputting. 

When an illegal user inputs wrong passwords by the 
number of times (for example, two times) smaller than a 
prescribed number of times continuously in the method that 
connection is cut off if a user inputs wrong passwords by the 
prescribed number of times (for example, three times) 
continuously or when an illegal user cuts off connection by 
himself within a time shorter than a prescribed time (for 
example, one minute) in the method that connection is cut 
off if authentication is not completed during the prescribed 
time, such a possible act of illegal utilization cannot be
recorded and naturally it is impossible to judge whether 
intrusion is made actually by illegal action or not.

Further, when wrong passwords are continuously inputted
over a prescribed number of times in the system in which
when authentication using a password fails the failure is
recorded in a log, a lot of failure data in authentication are
outputted and other important messages are buried.

Furthermore, since a time interval of counting failures is 
not provided in the above prior art, intrusion events having 
an inclination to be generally concentrated in a specific time 
zone cannot be seized.

When accesses are made from a plurality of places by
using an account given to the same person, such acts or 
events are considered to be illegal utilization, while there is 
not provided means for detecting such events effectively. 

SUMMARY OF THE INVENTION

It is an object of the present invention to provide a method 
of improving the reliability of detection of an illegal access 
to a computer system. 

It is another object of the present invention to provide a
method capable of performing management of occurrence of
an illegal access to a computer system effectively. 

It is a further object of the present invention to provide a 
recording medium for storing therein a computer program
for detecting an illegal access to a computer system.

According to one aspect of the present invention, the
detection method of an illegal access to a computer system
according to the present invention, comprises a step a) of
collating user identification information inputted from an
input unit in one or more log-in operations with user
authentication information registered in the computer
system, a step b) of detecting the number of times that the
identification information is not coincident with the
authentication information in a series of log-in operations within a
predetermined term, a step c) of obtaining final log-in
information indicating whether the identification information
is coincident with the authentication information or not
in a final log-in operation, and a step d) of comparing the
number of times in respect to the incoincidence and the final
log-in information with a predetermined judgment standard
to thereby detect the presence of the illegal access.

According to another aspect of the present invention, the
detection method of an illegal access to a computer system
according to the present invention, comprises a step a) of
recording user identification information inputted from an
input unit in a log-in operation and terminal identification
information of a computer terminal in which the log-in
operation is performed, a step b) of detecting the number of
computer terminals when log-in operations are performed
from a plurality of computer terminals by using identical
user identification information, and a step c) of judging that
there is an illegal access when the number of computer
terminals detected in the step b) reaches a predetermined
reference value.

According to an aspect of the present invention, in a
medium for recording a computer program for detecting an
illegal access to a computer system, computer code means
comprise means for collating user identification information
inputted from an input unit in one or more log-in operations
with user authentication information registered in the
computer system, means for detecting the number of times that
the identification information is not coincident with the
authentication information in a series of log-in operations
within a predetermined term, means for obtaining final
log-in information indicating whether the identification
information is coincident with the authentication information
or not in a final log-in operation, and means for
comparing the number of times in respect to the incoincidence
and the final log-in information with a predetermined
judgment standard to thereby detect the presence of the
illegal access.

Other objects and embodiments of the present invention
will become clear from the following detailed description taken
in connection with the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS 

FIGS. 1A and 1B illustrate an example of normal access
and an example of illegal accesses; 

FIG. 2 is a schematic diagram illustrating a computer 
system to which the present invention is applied; 

FIG. 3 is a flow chart showing a procedure for detecting
an illegal access by considering on the basis of log infor- 
mation whether log-in is successful finally or not; 

FIG. 4 is a flow chart showing a procedure for detecting 
an illegal access by considering in real time whether log-in 
is successful finally or not;

FIG. 5 is a flow chart showing a procedure for investi- 
gating intrusion from a plurality of places on the basis of log 
information to detect an illegal access; 

FIG. 6 illustrates a software structure for realizing the
present invention; 

FIG. 7 shows an example of a monitoring picture screen of
a managing computer; 

FIG. 8 shows a format of log information; and 

FIG. 9 is a flow chart showing processing procedure
performed after detection of an illegal access. 

DETAILED DESCRIPTION OF THE 
PREFERRED EMBODIMENTS 

FIG. 2 schematically illustrates a computer network sys- 
tem according to an embodiment of the present invention. 
The computer network system includes a plurality of local 
computers 201 which are directly operated by users, a 
plurality of remote computers 210 which are remotely
operated by users, and a managing computer 220 for man- 
aging or controlling the computers 201 and 210, and these 
computers 201, 210 and 220 are connected to one another 
through a communication network 232. 

There is a case where the managing computer 220, the
remote computer 201 and the local computer 201 are con- 
stituted by a single computer. In this case, the communica- 
tion network 232 is a data transmission path within the 
computer. Further, there is a case where the remote computer 
210 and the local computer 201 are constituted by a single
computer. Alternatively, there is a case where another com- 
bination of computers are constituted by a single computer. 

The local computer 201 includes a central processing unit 
202, a main memory 203, an input unit 204 such as a 
keyboard, an output unit 205 such as a display and a network
controller 206. Further, the remote computer 210 includes a 
central processing unit 211, a main memory 212, a disk unit 
213, a disk controller 214 and a network controller 215. 
Moreover, the managing computer 220 includes a central 
processing unit 221, a main memory 222, a disk unit 223, a
disk controller 224, a network controller 225, an input unit 
228 such as a keyboard and an output unit such as a display. 
In addition, the managing computer 220 stores illegal access 
judgment standard information 229 for judging an illegal 
access in the disk unit 223 and can transmit the information
to the remote computer 210 through the network 232. The 
remote computer 210 receives the illegal access judgment
standard information 229 from the managing computer 220
and stores it as illegal access judgment standard information 
217 in the disk unit 213. A user operates the input unit 204 
of the local computer 201 and logs in the remote computer 
210 through the network to utilize the remote computer. The 
remote computer 210 is responsive to the log-in operation by 
the user from the local computer 201 to store an input time 
802, a user's name 803 and information 804 as to whether 
the user could have inputted a password exactly to perform 
the log-in operation or could have inputted a wrong pass- 
word not to perform the log-in operation, a name 805 of the 
local computer 201 and a name 806 of the input unit 204 
used together with the local computer, as log information 
216, in the disk unit 213. 

In the log-in operation, the user inputs the user's name (or 
user's identification number or code) and the password by 
means of the keyboard 204. The local computer 201 pre- 
pares the log information as shown in FIG. 8 in response to 
the log-in operation. The log information is transferred to the 
remote computer 210 or the managing computer 220. 
Further, the log information is also prepared upon the 
log-out operation. The log information includes information 
801 indicating whether the event is the log-in or log-out 
operation, the time 802 that the log-in or log-out operation 
is performed, the user's name (or user's identification num- 
ber or code) 803, information 804 indicative of success or 
failure of the log-in or the log-out operation, the name 805 
of the computer (log-in computer) which has performed the 
authentication processing of the user in the log-in operation
and a name 806 of the computer (input computer) used
directly by the user in the log-in operation. A place of a
terminal from which the log-in operation has been per- 
formed can be sometimes specified on the basis of the user's 
name 803, the name 805 of the local computer or the name 
806 of the input computer. 

When the log-in operation is performed, the local com- 
puter 201 collates the user's name which is the user's 
identification information and a password with right user's 
name and password in authentication information previously 
registered in the computer. When the inputted user's name 
and password are coincident with or agree with the authen- 
tication information, the log-in operation is allowed. When 
the log-in operation is allowed, the information indicative of 
success of the log-in operation is written in the log infor- 
mation 804. 

Further, it is not limited that the log-in operation is 
performed by the keyboard 204. For example, inputting by 
an IC card in which the user's identification information is 
stored, inputting by voice or inputting by designating infor- 
mation displayed in a picture screen of the display 205 by 
means of a mouse operated by a user may be used to make 
the log-in operation. Moreover, the picture screen of the
display 205 may provide touch panel type input means. 

The local computer 201 employs the illegal access judg- 
ment standard information 217 to execute the illegal access 
detection processing described in detail later. When the 
log-in operation is judged to be the illegal access in the 
illegal access detection processing, the local computer 201 
notifies illegal access information to the managing computer 
220 and records it in the disk unit 213. When the managing 
computer 220 cannot receive the illegal access information, 
the local computer 201 transmits the illegal access informa- 
tion to the managing computer 220 repeatedly until the 
managing computer 220 can receive the information. When
the managing computer 220 receives the illegal access 
information, the managing computer records the illegal 
access information and displays the message in a display 
console to inform it to the operator. 

There are following four different ways for detecting the
illegal access.

(1) The local computer 201 detects the existence or
absence of an illegal access every time when a log-in event
occurs.

(2) The log-in information is transferred from a local
computer 201 to a managing computer 220 every time when
a log-in event occurs, and the managing computer 220
detects the existence or absence of an illegal access every
time when the log-in information is transferred.

(3) The log-in information is stored in a remote computer
210. After a predetermined time or in response to the
request from the managing computer 220, the log-in information
is transferred from the local computer 201 to the
managing computer 220, and the managing computer 220
detects the existence or absence of an illegal access on the
basis of the log-in information.

(4) The log-in information is transferred to and stored in
a managing computer 220 every time when a log-in event
occurs. The managing computer 220 detects the existence or
absence of an illegal access on the basis of the log-in
information.

FIG. 6 illustrates a software structure of an embodiment
of the present invention. In the software structure of FIG. 6,
the log information is accumulated in the remote computer
and the accumulated log information is transferred to the
managing computer collectively at a proper timing in the
system configuration illustrated in FIG. 2. A managing
computer 601 includes components for realizing the functions
of the present invention and constructed in an operating
system 603 for controlling the hardware of the computer.
A rule management unit 607 serves to register, delete or
change the above-mentioned illegal access standard information
229 (log analysis rule), the standard (filtering rule)
for filtering log information collected in a computer 602
(remote computer 210) to be managed and the standard (log
file management rule) for managing the capacity of a data
base 609 and a normalized log file 616. A log analysis unit
608 functions to analyze the log information collected from
the computer to be managed in accordance with the registered
log analysis rule and accumulated in the data base 609.
A rule delivery unit 610 controls to deliver the filtering rule
and the log file management rule registered in the rule
management unit to the computer to be managed and a log
collection unit 618 controls to collect log information from
the computer to be managed. On the other hand, the local
computer 602 to be managed includes components constructed
in an operating system 604 to realize the functions
of the present invention in the same manner as the managing
computer. A log collection unit 613 collects access log
gathered by the operating system 604 periodically and
converts the collected log into a common format designated
previously by a log normalization unit 612. Further, the log
collection unit 613 stores only information specified in
accordance with the filtering rule designated by the managing
computer in a normalized log file 616. A normalized log
collection unit 611 transfers the log information converted
into the common format to the managing computer at a
proper timing (for example, when there is an indication from
the managing computer). Further, communication control
between the managing computer and the computer to be
managed is realized by means of a logical communication
path 617 provided by basic communication control units 605
and 606 of the operating systems.

FIGS. 1A and 1B show examples for illustrating the
illegal access judgment standard in the present invention.
The illegal access judgment standard (217 of FIG. 2) is
defined as "when an exact password could be inputted by the
number of times smaller than or equal to the prescribed
number of times within a prescribed time, the access is
normal, otherwise the access is illegal". An example where
the prescribed number of times is four times and the prescribed
time is one minute is described. In FIG. 1A, all of
log-in operations 101 to 104 within one minute starting from
the first log-in operation 101 are unsuccessful. Further,
log-in operations 102 to 105 within one minute from the
second log-in operation are also unsuccessful. However, in
a final log-in operation 106 of the log-in operations 103 to
106 within one minute from the third log-in operation, an
exact user's name and password are inputted. Accordingly,
these operations are regarded as a series of processing and
this access 100 is judged to be the exact access. In FIG. 1B,
log-in operations 107 to 110 are all unsuccessful and further
log-in operations 108 to 111 within one minute from the
second log-in operation are also all unsuccessful.
Furthermore, log-in operations 109 to 112 within one minute
from the third log-in operation are all unsuccessful even in
the final log-in operation 112. Thereafter, there is no log-in
operation. Accordingly, it is regarded that a series of
authentication processing has been finished at the time when one
minute elapsed from the third log-in operation and since the
log-in operations are unsuccessful within one minute, it is
regarded as the authentication being unsuccessful and the
access 120 is judged to be illegal.

The above processing includes the method of judging in
the real time whether the access is illegal or not when
inputting is made by a user and the method of recording
user's action in the log and judging whether the access was
illegal or not later.

FIG. 3 shows an example of the above processing procedure.
This procedure is considered to be performed by two
methods so that in one method the procedure is performed
by the log analysis unit 608 of the managing computer and
in the other method the procedure is performed by reading
out normalized log in the computer to be managed (a
processing portion of the latter is not shown in FIG. 6). In
this procedure, the log in which the user's action is recorded
is read out to thereby judge whether the access is illegal or
not. Further, in this procedure, when wrong passwords are
inputted by a user, it is not judged from only the number of
times of wrong operations occurring continuously that the
operations are illegal and whether the operations are illegal
or not is judged on the basis of the fact as to whether the final
operation of a series of inputting operations (log-in
operations) is successful or not. The log format therefor is
required to record therein a user's name 803 inputted by the
user, judgment result 804 as to whether a password is just or
not, and time information 802 that user's inputting is made
as shown in FIG. 8. In step 301, first input log data (FIG. 8)
is read out. In next step 302, a detection flag indicative of
detection of illegal access is reset to an initial value and a
wrong input counter is reset to zero. In step 303, it is
examined whether the log-in operation is successful or not.
When the log-in operation is successful, authentication is
completed in step 304. When the log-in operation is
unsuccessful, the input time thereof is registered as a start
time for a series of processing in step 305. In step 306, the
expected time of completion is calculated and registered. In
next step 307, the continuously wrong input counter is
incremented by one. In step 308, a count of the continuously
wrong input counter is examined. When the count is larger
than or equal to the prescribed number of times (for
example, 4), the detection flag is set in step 309. In next step
310, it is examined whether next log-in data is present or not.
When the next log-in data is not present, the process is
finished in step 311. When the next data is present, the next
data is read in step 312 and a record time or an input time
of the next data is compared with the expected time of
completion calculated above in step 313. When the expected
time of completion is earlier than the input time, it is judged
that the series of processing is completed in step 314. In step
315, the detection flag is examined. When the detection flag
is set, occurrence of an illegal access is recorded and notified
in step 316. Then, the process is returned to step 302 and the
above processing is repeated. When the input time of data is
earlier than the expected time of completion, it is examined
whether the log-in operation is successful or not in step 317.
When it is unsuccessful, the process is returned to step 306
and the above processing is repeated. When it is successful,
it is examined whether the detection flag is set or not in step
318. When it is set, it is judged that there was an illegal
access in step 319. In step 320, the authentication is completed.
In the above example, the expected time of completion
is calculated again to be updated in step 306. When an
illegal access is to be examined more strictly, another
method is considered in which the expected time of completion
is left as it has been calculated first in step 306 and the
update processing is not performed. That is, after the
processing in step 317, the process is returned to step 307 as
shown by broken line.

Referring now to FIG. 4, the processing procedure that the
illegal access is processed in the real time while gathering
log is described. It is considered that this processing procedure
is performed by two methods so that in one method the
log analysis unit 608 performs the illegal access detection
processing every time one log is transferred to the managing
computer in each log-in operation in FIG. 6 and in the other
method the illegal access detection process is performed
every time one log is normalized in the computer to be
managed (managing computer) (a processing portion of the
latter is not shown in FIG. 6). In the processing procedure
performed in the configuration of FIG. 6, first, the detection
flag and the input counter are reset in step 401. In next step
402, an event of user's inputting of authentication information
including a set of user's name and password by means
of the keyboard or the like is awaited. In step 403, an input
time is registered as a start time of the series of processing.
It is examined whether the user's identification information
is coincident with the registered authentication information
and the log-in operation is successful or not in step 404.
When it is successful, counts of various counters which
made counting during the series of processing are read in
step 405. When the counts are larger than or equal to the
previously defined illegal access standards, it is regarded
that there is the possibility that the access is illegal in step
406. In step 407, after an alert is produced and the illegal
access is recorded, the authentication is completed. When
the log-in operation is unsuccessful, a fixed time is added to
the current time to calculate the expected time of completion
and register it in step 408. In next step 409, the continuously
wrong input counter is incremented by one. In step 410, it is
examined whether a count of the continuously wrong input
counter is smaller than the prescribed number of times or
not. When the count is smaller than the prescribed number
of times, inputting of the authentication information (next
log) is awaited again until the end time in step 411. After log
information has been inputted, it is examined whether the
end time is reached or not in step 412. When the input
operation has been made before the end time, the process is
returned to the judgment step 404 as to whether log-in
operation is successful. When the end time is reached or
when the number of times for failures of authentication is
larger than or equal to the prescribed number of times, the
number of times for continuously wrong inputs is examined
in step 413. When the number of times for continuously
wrong inputs is larger than or equal to the illegal access
standards, it is judged that the access is illegal in step 414,
so that an alert is produced and the illegal access is recorded
in the log. The process is finished as the failure of
authentication. The production of the alert is made by displaying
occurrence of illegal access on a display screen by a loud
color or remarkable shape or on-and-off light information or
producing warning sound to notify the illegal access to the
manager positively.

An illegal access detection method according to a further
embodiment of the present invention is now described. The
illegal access judgment standard (217 of FIG. 2) in this
embodiment is defined as "it is judged that there is illegal
utilization when log-in operations have been made by the
same user's name from a plurality of different terminals
(local computers)". This procedure is considered to be
performed by two methods so that in one method the
procedure is performed by the log analysis unit 608 of the
managing computer and in the other method the procedure
is performed by reading out normalized log in the computer
to be managed (a processing portion of the latter is not
shown in FIG. 6). One user can exist at only one place
geographically. For example, one user cannot touch or use
terminals provided in Tokyo and Osaka at the same time.
When log-in operations performed in two or more different
places are detected, it is considered that illegal access is
made. That is, when log-in operations are made to one
machine from a plurality of terminals through a network, it
is considered that the operations are made by an illegal user.
The illegal access judgment standard information including
information relative to geographical positions where terminals
are located, information relative to judgment as to
whether operations performed by a plurality of terminals
used at the same time are illegal access or not (considering
areas where the plurality of terminals are located), information
relative to the number of terminals used at the same time
to perform operations that are considered as illegal utilization
and information relative to combination of the above
information or conditions is previously prepared and stored
in the memory. First, description is made to the processing
of inspecting whether there is illegal utilization or not on the
basis of data recorded in log. Log data includes, as shown in
FIG. 8, information relative to user's name, discrimination
of log-in information or log-out information and position of
a used terminal. The position information of the terminal is
to specify a place where an input terminal such as an actual
keyboard is located as an input source when log-in information
is transmitted through a multi-stage of network.
However, when the position information of the terminal
cannot specify the place, place information of a terminal
which has made latest inputting is sometimes used instead
while understanding reduction of detection accuracy.
Further, information relative to a terminal being used currently
is recorded for each user in a work area used in
detection processing.

FIG. 5 is a flow chart showing the above log analysis
processing procedure. This processing procedure is performed
by two methods including one method in which the
log analysis unit of the managing computer successively
reads out the log from the data base to perform judgment as
to an illegal access and the other method in which each time
the log-in/log-out operation is performed in the local
computer, judgment as to an illegal access is performed
while referring to the log information outputted in the disk
unit in the real time. In first step 501, the work area is
cleared. In next step 502, the illegal access standard is read
out from the memory unit. In step 503, it is judged whether
there is log data which are not processed yet or not. When
all of data have been processed already, the processing is
finished in step 504. When data remain still, first log-in data
is read out from recorded log information in step 505. In next
step 506, it is examined whether the read data is log-in data
or log-out data. When the read data is the log-out
information, in step 507, a recorded value of the number of
terminals used by the user is decremented by one. In step
508, log-in information from the terminal position is deleted
and the process is returned to step 503. When the read data
is the log-in information, the recorded value of the number
of terminals used by the user is incremented by one and the
position of the terminal used by the user is recorded in step
510. In step 511, the number of terminals and the position
information of terminals used by the user and previously
registered geographical information of terminals are collated
with the illegal access standard. When it is judged that the
log-in operation is illegal in step 512, it is recorded in step
513 and an alert is produced in step 514. Then, the process
is returned to step 503 and the above procedure is repeated.

More particularly, the above embodiment is performed by
the following two methods in brief. When the log-in operations
are performed by a plurality of different computer terminals
with the same user identification information (user's name
and/or password), the number of computer terminals is
detected. In a first method, it is judged that there is an illegal
access when the detected number of computer terminals
reaches a predetermined reference value. In a second
method, the number of computer terminals in case where the
log-in operations are performed by the plurality of computer
terminals with the same user identification information is
detected. Further, position information which specifies a
place or places of the computer terminals which have
performed the log-in operations is recorded. It is detected
whether the place or places of the computer terminals are
coincident with the predetermined registered place or places
or not. It is judged that there is an illegal access when the
number of computer terminals which have performed the
log-in operations exceeds the predetermined reference value
and it is detected that the place or places of the computer
terminals are not coincident with the predetermined place or
places.
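The FIG. 5 log analysis and the two judgment methods above can be sketched as follows. This is an added example, not code from the patent; the reference value, the user and terminal names, the place names and the log entries are all constructed for illustration.

```python
from collections import defaultdict

# All values below are constructed for this example.
REFERENCE_VALUE = 2                      # illegal access standard: number of terminals
REGISTERED_PLACES = {"alice": {"tokyo-office"}, "bob": {"osaka-office"}}
TERMINAL_PLACE = {"t1": "tokyo-office", "t2": "tokyo-office",
                  "t3": "osaka-office", "t9": "dial-up"}
SAMPLE_LOG = [                           # (time, user, terminal, kind)
    (100, "alice", "t1", "login"),
    (110, "alice", "t2", "login"),
    (120, "bob",   "t3", "login"),
    (125, "bob",   "t7", "logout"),      # log-out with no matching log-in
    (130, "alice", "t9", "login"),
    (140, "alice", "t1", "logout"),
    (150, "alice", "t9", "logout"),
]

def analyze(log, method):
    """Return alerts as (time, user, terminal_count, unregistered_places)."""
    active = defaultdict(dict)           # work area: user -> {terminal: place}
    alerts = []
    for ts, user, terminal, kind in log:
        if kind == "logout":
            # Steps 507-508: drop the terminal; tolerate a log-out that has
            # no recorded log-in so the count never goes negative.
            active[user].pop(terminal, None)
            continue
        # Step 510: record the terminal and its place for this user.
        active[user][terminal] = TERMINAL_PLACE.get(terminal, "unknown")
        count = len(active[user])
        unregistered = sorted(set(active[user].values())
                              - REGISTERED_PLACES.get(user, set()))
        if method == 1:                  # first method: count reaches the value
            illegal = count >= REFERENCE_VALUE
        else:                            # second method: count exceeds the value
            illegal = count > REFERENCE_VALUE and bool(unregistered)
        if illegal:                      # steps 512-514: record and alert
            alerts.append((ts, user, count, unregistered))
    return alerts

if __name__ == "__main__":
    for m in (1, 2):
        print(m, analyze(SAMPLE_LOG, m))
```

On this sample the first method alerts as soon as a second terminal is in use, while the second method stays silent until a third terminal appears at a place that is not registered for the user.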

Further, in the above processing procedure, the illegal
access judgment standard can be extended as "it is regarded
that there is illegal log-in operation only when the number
of terminals utilized at the same time continuously during a
specified time is larger than or equal to a predetermined
value" and "it is regarded that there is illegal log-in opera-
tion when the number of terminals utilized at the same time
in a specified time zone is larger than or equal to a prede-
termined value".

FIG. 7 shows an example of a picture on a display console
of the managing computer for reporting illegal accesses.
Numeral 702 denotes a picture indicating a connecting
relation of the computers to be managed positioned in the
network and states of the computers displayed by respective
colors in symbols expressing the computers. Numeral 701
denotes a picture displaying messages of occurred events in
the time series manner. For example, in third and fourth
lines, messages indicating occurrence of illegal access are
displayed. When a computer is specified (for example,
computer B), the color in the symbol thereof is changed to
notify the computer to the manager. Further, when it is
desired to understand detailed contents of the illegal access,
a detailed picture 703 is displayed by operation for selecting
a menu attached to the picture 701.

In the managing computer, after an illegal access has been 
reported by any processing of FIGS. 3 to 5, a previously 
designated operation can be instructed to a specific computer 
(generally, the computer in which the illegal access has been 
detected). 

For example, the operation is performed by a processing 
program for deleting information of the user who performed 
illegal access from registered information, for prohibiting an 
access using the identification information (user's name, 
code or the like) of the user who performed illegal log-in 
operation, for invalidating to use the identification informa- 
tion or for limiting the use condition thereof. 

There are considered two methods including one method 
in which the processing program is previously incorporated 
into each of the computers and the other method in which the 
processing program is delivered to the computer from the 
managing computer when the program is required and is 
executed in the computer. This procedure is now described 
with reference to FIG. 9. In step 902, when the managing 
computer detects an illegal access, it is examined whether a 
countermeasure processing operation to the reported illegal 
access is defined or not and when it is defined, the counter- 
measure information is read out in step 903. In next step 904, 
it is examined whether the processing program for executing 
the processing operation is stored in the computer to be 
managed or not. When the program is stored therein, only 
the parameter necessary for the processing is transferred to 
the computer to be managed in step 905 and when the 
program is not stored therein, the necessary parameter is 
transferred to the computer to be managed together with the 
processing program for executing the processing operation 
in step 906. The computer to be managed executes the 
designated processing program in step 907 and transfers a 
result of the execution to the managing computer in step 
908. 

Further, when an illegal access is reported to the manag- 
ing computer, a method is considered in which a monitoring 
program is delivered to the computer in which the illegal 
access has occurred so that the computer monitors the 
previously designated program for the purpose of collection 
of detailed information and monitoring of detailed state (for 
example, file updating circumstances, process operating 
circumstances and the like). This procedure can be also 
performed in accordance with the procedure shown in FIG. 
9. 

Moreover, the program for disconnecting a line of the 
local computer in which the illegal log-in has occurred and
the terminal thereof can be transmitted by the processing of 
FIG. 9. 

According to the detection method of an illegal access 
according to the present invention, the reliable examination 
or inspection as to whether a user is a proper user or 
unauthorized user can be performed to thereby reduce 
misdetection of an unauthorized user and wrong detection of 
a proper user. 

Further, since pertinent events are unified into one group 
from a large number of events to be reported to the manager, 
an amount of information to which the manager pays the 
attention can be reduced. 

In addition, when an illegal access is detected, a coun- 
termeasure for deleting user information having a problem, 
processing for collecting detailed information and the like 
can be performed for the computer of interest automatically. 
What is claimed is:

1. A detection method of an illegal access to a computer 
system, comprising the steps of: 

a) collating user identification information inputted from
an input unit in one or more log-in operations with user
authentication information registered in said computer
system;

b) detecting the number of times that said identification
information is not coincident with said authentication
information in a series of log-in operations within a
predetermined term;

c) obtaining final log-in information indicating whether
said identification information is coincident with said
authentication information or not in a final log-in
operation; and

d) comparing said number of times in respect to the
incoincidence and said final log-in information with a
predetermined judgment standard to thereby detect the
presence of the illegal access.

2. A method according to claim 1, wherein when a 
plurality of events for accessing have been occurred and the 
latest event is determined to be one event included in a series 
of preceding events in consideration of a time information 
and user authentification information, those events are
reported together as one event with a warning so as to reduce 
the number of warnings to be monitored by a user. 

3. A method according to claim 1, further comprising the 
step of setting said predetermined term for each log-in 
operation when there are a plurality of log-in operations.

4. A method according to claim 3, wherein said series of 
log-in operations is defined to include log-in operations 
performed until the final log-in operation is successful or 
until the number of times of failures in the log-in operations 
within said predetermined term does not reach a predeter-
mined value while successively shifting said predetermined
term every log-in operation. 

5. A method according to claim 3, wherein it is judged that
there is an illegal access when it is detected that the number
of times in respect to the incoincidence reaches a predeter-
mined number of times in said series of log-in operations
within said predetermined term and said final log-in infor-
mation represents the incoincidence.

6. A method according to claim 5, wherein said computer 
system includes a plurality of user computers and a man-
aging computer connected to said user computers through a
communication network for managing said user computers, 
and said user computer performs said steps a), b), c) and d) 
each time the log-in operation is performed to transfer 
judgment result of said step d) to said managing computer
through said communication network. 

7. A method according to claim 5, wherein said computer 
system includes a plurality of user computers, a managing 
computer for managing said user computers and a commu-
nication network connecting said plurality of user computers
and said managing computer, and said user computer per-
forms said steps a), b) and c) to transfer result information
of said steps a), b) and c) relative to all of log-in operations
through said communication network to said managing
computer, which performs said step d) on the basis of said
transferred information.

8. A method according to claim 7, wherein when an illegal 
access is detected in said step d), a processing program to be 
next executed is transferred through said communication 
network to said user computer in which said illegal access is
made and said user computer performs said processing 
program. 



9. A method according to claim 8, wherein said processing 
program to be next executed includes processing for limiting 
or invalidating use of said user authentication information 
registered in said computer system. 

10. A method according to claim 7, further comprising the 
step of displaying said plurality of user computers connected 
to said managing computer in a picture screen of a display 
unit by means of an icon image and displaying in said 
display screen, when an illegal access is detected in said step 
d), a user computer in which said illegal access is made so 
that said user computer can be specified. 

11. A computer program product comprising: 

a computer usable medium having computer readable 
program code means embodied in said computer usable 
medium for detecting an illegal access to a computer 
system, said computer readable program code means 
comprising: 

means for collating user identification information 
inputted from an input unit in one or more log-in 
operations with user authentication information reg- 
istered in said computer system; 

means for detecting a number of times that said user 
identification information is not coincident with said 
user authentication information in a series of log-in 
operations within a predetermined time; 

means for obtaining final log-in information indicating 
whether said identification information is coincident 
with said authentication information in a final log-in 
operation; and 

means for comparing the number of times with respect 
to the incoincidence and said final log-in information 
with a predetermined judgment standard to thereby 
detect the presence of the illegal access. 

12. A computer program product according to claim 11, 
wherein said series of log-in operations is defined to include 
log-in operations performed until the final log-in operation 
is successful or until the number of times of failures in the 
log-in operations within said predetermined time does not 
reach a predetermined value while successively shifting said 
predetermined time every log-in operation. 

13. A computer program product according to claim 11, 
wherein said illegal access is detected when the number of 
times with respect to the incoincidence reaches a predeter- 
mined number of times in said series of log-in operations 
within said predetermined time and said final log-in infor- 
mation represents the incoincidence. 

14. A computer program product according to claim 11, 
wherein said computer system includes a plurality of user 
computers, and a managing computer connected to said user 
computers through a communication network for managing 
said user computers. 

15. A computer program product according to claim 14, 
wherein said computer readable program code means further 
comprises means for enabling a visual display of said 
plurality of user computers connected to said managing 
computer on a display screen by means of an icon image, 
when said illegal access is detected. 

16. A computer program product according to claim 11, 
wherein said computer readable program code means further 
comprises means for enabling a visual display of said 
plurality of user computers connected to said managing 
computer on a display screen by means of an icon image, 
when said illegal access is detected. 